The possibility of malicious npm packages was pointed out almost a year ago.
The root of the problem cannot be fixed in imperative paradigms. By definition, if you can tell the effects of any piece of code through static analysis, it's declarative (no side-effects), not imperative. And if you can't identify the effects automatically, you're going to have to read and understand the code all by yourself, which greatly reduces the time saved by using someone else's code.
There's a reason functional programmers keep raving about (safe) composition.
Admittedly, you could have an automated system that analyzes a subset of the code/syntax automatically, rather like the safe language extension in Haskell, which might work for a lot of cases.
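The "analyze a subset of the syntax automatically" idea from the comment above, as an added example that is not part of the original comment or of any npm tooling: a small scanner that accepts an npm package only when every module reference is a literal name outside a list of effectful Node built-ins, there are no install-time lifecycle scripts, and there is no runtime code loading. Anything it cannot decide statically (a computed `require()` argument, `eval`, `new Function`) is reported for human review rather than silently passed, which is the Safe Haskell-style trade: decide a restricted subset, refuse to guess about the rest. The package representation (`{manifest, files}`), the `EFFECT_MODULES` list and the two sample packages are constructed for this example; the scanner is regex-based so it runs without dependencies, where a real tool would walk an AST.

```javascript
'use strict';

// Added example, not code from the original comment. Constructed inputs below.

// Node built-ins whose presence means the package can touch the machine or network.
const EFFECT_MODULES = new Set([
  'child_process', 'fs', 'net', 'http', 'https', 'dns', 'vm', 'worker_threads',
]);
// npm lifecycle scripts that run at install time, i.e. before anyone reads the code.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Module references with a literal name: require('x'), import('x'), import ... from 'x'.
const LITERAL_CALL = /\b(?:require|import)\(\s*(['"])([^'"]+)\1\s*\)/g;
const LITERAL_IMPORT = /\bimport\s+(?:[^'";]+?\s+from\s+)?(['"])([^'"]+)\1/g;
// Module references whose name is computed at runtime: undecidable statically.
const DYNAMIC_CALL = /\b(?:require|import)\(\s*(?!['"])[^)]*\)/g;
// Runtime code construction, which hides effects from any static scan.
const CODE_LOADING = /\b(?:eval|new\s+Function)\s*\(/g;

function lineOf(source, index) {
  return source.slice(0, index).split('\n').length;
}

// Scan one source file; returns a list of findings, possibly empty.
function scanSource(file, source) {
  const findings = [];
  const checkLiteral = (re) => {
    for (const m of source.matchAll(re)) {
      const name = m[2].replace(/^node:/, '');
      if (EFFECT_MODULES.has(name)) {
        findings.push({ file, line: lineOf(source, m.index), kind: 'effect-module', detail: name });
      }
    }
  };
  checkLiteral(LITERAL_CALL);
  checkLiteral(LITERAL_IMPORT);
  for (const m of source.matchAll(DYNAMIC_CALL)) {
    findings.push({ file, line: lineOf(source, m.index), kind: 'dynamic-module', detail: m[0] });
  }
  for (const m of source.matchAll(CODE_LOADING)) {
    findings.push({ file, line: lineOf(source, m.index), kind: 'code-loading', detail: m[0] });
  }
  return findings;
}

// Scan a whole package given as {manifest: parsed package.json, files: {path: source}}.
function scanPackage(pkg) {
  const findings = [];
  const scripts = (pkg.manifest && pkg.manifest.scripts) || {};
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook]) {
      findings.push({ file: 'package.json', line: 0, kind: 'install-hook', detail: `${hook}: ${scripts[hook]}` });
    }
  }
  for (const [file, source] of Object.entries(pkg.files || {})) {
    findings.push(...scanSource(file, source));
  }
  return findings;
}

// Anything the scanner cannot clear goes to a human; it is never silently accepted.
function verdict(findings) {
  return findings.length === 0 ? 'accept' : 'review';
}

// Constructed sample packages (not real npm packages).
const CLEAN_PKG = {
  manifest: { name: 'example-clean', version: '0.0.0', scripts: { test: 'node test.js' } },
  files: {
    'index.js': "const path = require('node:path');\nmodule.exports = (p) => path.basename(p);\n",
  },
};
const SUSPECT_PKG = {
  manifest: { name: 'example-suspect', version: '0.0.0', scripts: { postinstall: 'node setup.js' } },
  files: {
    'index.js': "const fs = require('fs');\nmodule.exports = (p) => fs.readFileSync(p, 'utf8');\n",
    'setup.js': "// module name only known at runtime\nconst helper = require(process.env.EXAMPLE_HELPER || './noop');\n",
  },
};

for (const pkg of [CLEAN_PKG, SUSPECT_PKG]) {
  const findings = scanPackage(pkg);
  console.log(`${pkg.manifest.name} -> ${verdict(findings)}`);
  for (const f of findings) console.log(`  ${f.file}:${f.line} ${f.kind} ${f.detail}`);
}
```

Running it prints `example-clean -> accept` with no findings, and `example-suspect -> review` with three: the `postinstall` hook, the literal `fs` import in `index.js`, and the computed `require()` in `setup.js`. The last one is the point of the comment: the scanner cannot know what that line loads, so the only honest output is "needs a human", which is exactly the reading effort the automation was supposed to save.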